/*
* Copyright 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_
#define TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_
#include <hardware/keymaster_defs.h>
namespace keymaster {
// Forward declarations only; the definitions are not part of this header.
// AuthorizationSet and Key are not referenced by any declaration below.
class AuthorizationSet;
class Key;

// KeymasterKeyBlob is the return type of ReadKeyFromStorage().
template <typename>
struct TKeymasterBlob;
using KeymasterKeyBlob = TKeymasterBlob<keymaster_key_blob_t>;
// Identifies which attestation key (and its certificate chain) a storage call
// in this header refers to. kRsa and kEcdsa are set to be the same as the
// corresponding keymaster_algorithm_t values.
// NOTE(review): kInvalid is 0, so a zero-initialized slot compares equal to
// kInvalid. Whether the storage functions reject kInvalid or values outside
// this list is not visible in this header -- confirm in the implementation.
enum class AttestationKeySlot {
kInvalid = 0,
kRsa = 1,
kEcdsa = 3,
kEddsa = 4,
kEpid = 5,
// 'Claimable' slots are for use with the claim_key HAL method.
kClaimable0 = 128,
// 'Som' slots are for Android Things SoM keys. These are generic, that is
// they are not associated with a particular model or product.
// Each kSom* value equals the matching non-SoM value plus 256.
kSomRsa = 257,
kSomEcdsa = 259,
kSomEddsa = 260,
kSomEpid = 261,
};
/* Size, in bytes, of the attestation uuid buffer taken by
 * WriteAttestationUuid() and ReadAttestationUuid(). The value matches, by
 * design, ATAP_HEX_UUID_LEN in system/iot/attestation/atap. */
constexpr size_t kAttestationUuidSize{32};
/**
 * These functions implement key and certificate chain storage on top of
 * Trusty's secure storage service. All data is stored in the RPMB filesystem.
 */
/**
 * Writes |key_size| bytes at |key| to key file associated with |key_slot|.
 *
 * |key| must point to at least |key_size| readable bytes; the declaration
 * takes a raw pointer and a length, so the compiler cannot check this for the
 * caller.
 * NOTE(review): the buffer presumably holds attestation private-key material,
 * and the caller still owns its copy after the call. Whether an existing key
 * in the slot is overwritten, and which keymaster_error_t values are returned,
 * is not visible in this header -- confirm in the implementation.
 */
keymaster_error_t WriteKeyToStorage(AttestationKeySlot key_slot,
const uint8_t* key,
uint32_t key_size);
/**
 * Reads key associated with |key_slot| and returns it as a KeymasterKeyBlob.
 *
 * |error| presumably receives the keymaster_error_t result of the read.
 * NOTE(review): this header does not say what the returned blob contains when
 * the read fails, or whether |error| may be null. Callers should check
 * |*error| before using the blob -- confirm both points in the implementation.
 */
KeymasterKeyBlob ReadKeyFromStorage(AttestationKeySlot key_slot,
keymaster_error_t* error);
/**
 * Checks if |key_slot| attestation key exists in RPMB. On success, writes to
 * |exists|.
 *
 * Only the success case is documented as writing |exists|, so callers should
 * test the returned keymaster_error_t first and not read |exists| after a
 * failure; a storage error is not the same answer as "key absent".
 */
keymaster_error_t AttestationKeyExists(AttestationKeySlot key_slot,
bool* exists);
/**
 * Writes |cert_size| bytes at |cert| to cert file associated with |key_slot|
 * and |index|. The caller can either write to an existing certificate entry,
 * or one past the end of the chain to extend the chain length by 1 (|index| =
 * chain length). Fails when |index| > chain length.
 *
 * |cert| must point to at least |cert_size| readable bytes; the declaration
 * takes a raw pointer and a length, so the compiler cannot check this for the
 * caller.
 * NOTE(review): the certificate encoding and any upper bound on |cert_size| or
 * on the chain length are not stated in this header -- confirm in the
 * implementation.
 */
keymaster_error_t WriteCertToStorage(AttestationKeySlot key_slot,
const uint8_t* cert,
uint32_t cert_size,
uint32_t index);
/**
 * Reads cert chain associated with |key_slot|. Stores certificate chain in
 * |cert_chain| and caller takes ownership of all allocated memory.
 *
 * NOTE(review): the allocator used for the chain entries is not visible in
 * this header, so the matching release call must be confirmed against the
 * implementation. It is also not stated whether |cert_chain| can hold
 * partially allocated entries when an error is returned; callers should check
 * the returned keymaster_error_t before using the chain.
 */
keymaster_error_t ReadCertChainFromStorage(AttestationKeySlot key_slot,
keymaster_cert_chain_t* cert_chain);
/**
 * Writes the new length of the stored |key_slot| attestation certificate chain.
 * If less than the existing certificate chain length, the chain is truncated.
 * Input cannot be larger than the current certificate chain length + 1.
 *
 * NOTE(review): whether the certificates beyond the new length are deleted
 * from storage or only become unreachable is not visible in this header --
 * confirm in the implementation.
 */
keymaster_error_t WriteCertChainLength(AttestationKeySlot key_slot,
uint32_t cert_chain_length);
/**
 * Reads the current length of the stored |key_slot| attestation certificate
 * chain. On success, writes the length to |cert_chain_length|.
 *
 * Only the success case is documented as writing |cert_chain_length|, so
 * callers should test the returned keymaster_error_t before reading it.
 * NOTE(review): the result for a slot that has no stored chain is not stated
 * in this header -- confirm in the implementation.
 */
keymaster_error_t ReadCertChainLength(AttestationKeySlot key_slot,
uint32_t* cert_chain_length);
/**
 * Writes the |attestation_uuid|.
 *
 * The array bound in the parameter type is documentation only: the parameter
 * is passed as a plain const uint8_t*, so the compiler does not check the
 * buffer size. The caller must supply kAttestationUuidSize bytes.
 * NOTE(review): presumably all kAttestationUuidSize bytes are read and no
 * terminating NUL is expected -- confirm in the implementation.
 */
keymaster_error_t WriteAttestationUuid(
const uint8_t attestation_uuid[kAttestationUuidSize]);
/**
 * Reads the |attestation_uuid|. If none exists, sets the uuid to all ascii
 * zeros.
 *
 * The array bound in the parameter type is documentation only: the parameter
 * is passed as a plain uint8_t*, so the compiler does not check the buffer
 * size. The caller must supply kAttestationUuidSize writable bytes.
 * NOTE(review): "ascii zeros" presumably means the character '0' in every
 * byte rather than 0x00, with no terminating NUL written -- confirm in the
 * implementation before treating the buffer as a C string.
 */
keymaster_error_t ReadAttestationUuid(
uint8_t attestation_uuid[kAttestationUuidSize]);
/**
 * Deletes |key_slot| attestation key from RPMB.
 *
 * NOTE(review): only the key is named here; the slot's certificate chain has
 * its own DeleteCertChain() call. The result for a slot that holds no key is
 * not stated in this header -- confirm in the implementation.
 */
keymaster_error_t DeleteKey(AttestationKeySlot key_slot);
/**
 * Deletes |key_slot| attestation certificate chain from RPMB.
 *
 * NOTE(review): only the certificate chain is named here; the slot's key has
 * its own DeleteKey() call. The result for a slot that holds no chain is not
 * stated in this header -- confirm in the implementation.
 */
keymaster_error_t DeleteCertChain(AttestationKeySlot key_slot);
/**
 * Deletes all attestation keys and certificate chains from RPMB.
 *
 * NOTE(review): the description names keys and certificate chains only.
 * Whether the attestation uuid is removed as well, and whether a failure can
 * leave some slots deleted and others intact, is not visible in this header
 * -- confirm in the implementation.
 */
keymaster_error_t DeleteAllAttestationData();
} // namespace keymaster
#endif // TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_